Tag Archives: Edward Stroz

Looking Back at Fall 2023 PCCE Events: Conference on Security, Privacy, and Consumer Protection

As we prepare for a full schedule of events in 2024, the NYU School of Law Program on Corporate Compliance and Enforcement (PCCE) is taking a moment to reflect on our busy Fall 2023 program. In this post, we review our November 17, 2023 full-day conference on Security, Privacy, and Consumer Protection.

Photo of conference

(©Hollenshead: Courtesy of NYU Photo Bureau)


Cybersecurity Pros Discuss the Implications of the NYDFS’s New Amendments to its Cybersecurity Rule

On November 17, 2023, the NYU Law Program on Corporate Compliance and Enforcement (PCCE) hosted a standing-room-only full-day conference on Security, Privacy, and Consumer Protection. The conference addressed issues such as managing effective cybersecurity and privacy compliance programs, the use of “dark patterns” to manipulate consumer choices, and whether privacy regulation and enforcement actions actually prompt firms to update their privacy policies. A full agenda of the conference, along with speaker bios, is available here. In this post, several participants from the panel titled The NYDFS Cybersecurity Rule Amendments and Their Implications for Firms Beyond the Financial Sector share further thoughts on the issue.

Photo of panelists

Left to right: Justin Herring, Matthew Levine, Cheryl James, Edward Stroz, and Alexander Southwell (Moderator) (©Hollenshead: Courtesy of NYU Photo Bureau)


Cybersecurity Experts React to NYDFS’s Amendments to its Cybersecurity Rules

Editor’s Note: The NYU School of Law Program on Corporate Compliance and Enforcement (PCCE) is following the New York State Department of Financial Services’ (NYDFS) recently announced amendments to its Part 500 Cybersecurity Regulations. In this post, cybersecurity experts offer their insight on the final amendments and the potential implications they have for corporate cybersecurity programs.

Photos of the authors

Top left to right: Johanna Skrzypczyk, Avi Gesser, Justin Herring, Kathleen McGee, and Edward Stroz.
Bottom left to right: Kellen Dwyer, Rebecca Hughes Parker, Elizabeth Ferrick, Grant Ankrom, and Alex Southwell. (Photos courtesy of the authors)


Cyber Security Governance for Boards of Directors

by Edward Stroz and Carl S. Young

Photos of the authors

Edward Stroz

Those of us who are members of boards of directors and who also advise boards on cyber security risk management have been subjected to a steady drumbeat regarding our responsibility to ensure appropriate board oversight. Recent cyber risk management guidance from the US Securities and Exchange Commission (SEC) is just one of multiple examples of enhanced requirements regarding security disclosures by public companies.

Boards of directors are certainly capable of assessing cybersecurity risk when each member is appropriately informed on the relevant issues. Unfortunately, communications about cybersecurity risk are frequently neither informative nor clear to the intended audience. To fulfill their governance responsibilities and to overcome this communication gap, boards must identify cybersecurity priorities in the near term while ensuring that the risk management strategy addresses the underlying drivers of cybersecurity risk in the long term. In our view, accomplishing these near- and long-term objectives requires three areas of focus.
